ADVERTISEMENT

When Does a Cyber Attack Become an ‘Act of War’?

As Chinese malware targets Indian power system, we question whether cyber attacks amount to an ‘act of war’

Published
Law
7 min read
 <p>Indian firms and government organisations are trying to get protection against cyber attacks and fix known vulnerabilities. Tension between India and China at the LAC in Ladakh has led to fear of a Chinese 'Cyber Offensive'</p>
i

Recorded Future, a US-based firm, has reported that Chinese state-sponsored actors may have used malware to target India’s power grid system and seaports. According to the New York Times, which broke this story, Recorded Future has claimed in its report that the 12 October 2020 grid failure in Mumbai, may have been caused by this malware.

This report has come in the backdrop of escalating border tensions between India and China, which actually led to a deadly skirmish at the Line of Actual Control (LOAC) in June 2020. As there’s a history of hostility between the two nations, the legality of such cyberattacks becomes a serious question. Are these cyberattacks a part of a larger armed conflict or a means to unleash an armed attack? Can these cyberattacks be attributed to the ongoing conflict between the two sovereign nations?

Most importantly, can India interpret such attacks as an ‘act of war’ to legitimise ‘retaliation' under the law on armed conflict?

Can India interpret Chinese hacking as an attack on its ‘political independence or sovereignty’? Does the international law on armed conflict describe such cyber attacks as an ‘armed attack’? Can India retaliate? If yes, then in what manner? These questions can be answered by looking at cyber attacks through the lens of the law on wars.

When Does a Cyber Attack Become an ‘Act of War’?

  1. 1. Cyberspace: A New Battlefield

    Almost every country is now using computer systems for their civil, security, and military infrastructure. This has made cyberspace attractive to both, state and non-state actors, to target the ‘vulnerable’ systems of rival countries to cause significant disruption at a far lower cost, in money and manpower, than conventional and mainly military options.

    Countries with advanced cyber capabilities have shown keen interest in targeting cyberspace for strategic interventions in other countries.

    1. In 2020, both Iranian and the American governments acknowledged cyber-attacks as central to their strategies.
    2. In 2010, Stuxnet, which some consider India’s first genuine cyber weapon, reportedly destroyed a fifth of Iran’s nuclear centrifuges.
    3. Russia has consistently targeted the critical civil infrastructure of Ukraine, leading to a large scale disruption to the internet as pro-Russian rebels took control of Crimea (2014), taking down the election commission 3 days before Ukraine’s Presidential elections (2014), and cutting off the power supply to around 250,000 people in western Ukraine.
    4. In 2007, a major cyber-attack on Estonia’s banking and communications system led to 22 days of civil unrest.

    USA has established ‘cyber commands’ as part of its Air Force and Navy. There is a consensus among NATO member-nations to invoke the principle of ‘collective self-defence’ when faced with complex cyber-attacks. South Korea and Saudi Arabia are also developing systems to “retaliate” when faced with “coordinated” and “sophisticated” cyber-attacks.

    Expand
  2. 2. Not Every Attack Is War

    While experts are divided on whether the existing framework of the law on armed conflict (LOAC) should be extended to cyber-attacks or not, there is broad agreement on distinguishing different kinds of cyber aggression.

    Every act of cyberspace targeting won’t amount to an ‘attack’ so as to invoke laws governing war. Centre for Strategic and International Studies, an American think-tank, argues that merely a violation of sovereignty is not enough. To invoke the right to self-defence under international law, an aggrieved nation will have to show that a cyber attack led to ‘substantial death’ or ‘physical destruction’ so as to qualify as an ‘armed attack’.

    The Tallinn Manual, a leading document on legality of cyber-warfare prepared by 19 international law scholars, recognise only those cyber attacks as part of armed conflict which “are reasonably expected to cause injury or death to persons or damage or destruction to objects”.

    Therefore, the threshold is understandably high. Instances of cyber espionage or data theft would ordinarily not justify action or retaliation under the law on armed conflict.

    Expand
  3. 3. How Can Law of War Apply To Cyber Warfare?

    The law on armed conflict consists of rules and state practices governing decisions to go to war and how to fight a war. Over the decades, the Geneva Convention, The Hague Convention, and the UN Charter, have been used to determine what amounts to ‘war’ and what kind of retaliation can be justified.

    The existing framework for law on armed conflict doesn’t envisage cyber warfare. While some experts say that cyber warfare can be read into the existing legal framework, others argue that it is inadequate and a new legal framework is required. However, there is a consensus on the threshold of ‘substantial damage’ that every cyber-attack will have to meet to qualify as an act of war.

    The Tallin Manual uses the definition provided in Article 2(4) of the UN Charter to argue that any cyber operation that “constitutes a threat or use of force against the territorial integrity or political independence of any state, or that in other manner is inconsistent with the purposes of United Nations is unlawful”. Such a cyber operation could trigger a response under the law on armed conflict.
    Expand
  4. 4. Who's The Enemy: The Problem of Fixing Blame

    Unlike conventional warfare, it is extremely difficult to conclusively identify the source of a transnational cyber attack. For instance, the Stuxnet attack against Iran is largely attributed to the US and Israel, but there’s no conclusive evidence for it. Similarly, while Germany blames Russia for hacking the computer systems of its Bundestag (Parliament), Russia is able to deny it, as there isn't sufficient proof.

    Another issue is the involvement of anonymous non-state actors. Most malware that has attacked critical civil infrastructure, including the recent Chinese malware in the Indian power system, has been attributed to private players. These non-state actors may very well be state-sponsored, but without conclusive evidence establishing a direct link, accusing another state of ‘an act of war’ would be diplomatically foolhardy.

    Then there’s a problem of ‘spoofing’. Persons initiating a cyber attack can resort to ‘spoofing’, which is falsify the identity of their server. For instance, a cyber system in Russia can initiate an attack, but while doing so, can falsify the identity of its server to suggest that the attack was routed through China. This further complicates the problem of attribution in cyber warfare.

    Some scholars, however, have suggested that states can act under the laws of armed conflict, even against non-state actors. They cite post 9/11 cyber operations of the US as a ‘state practice’ that has validated the use of retaliatory force against non-state actors as well.

    The Tallinn Manual puts an obligation on states to not allow their cyber-infrastructure to be used for unlawful activities against other states. This obligation applies regardless of whether an attack is attributable to a state actor or not.

    A state shall not knowingly allow the cyber infrastructure located in its territory or under its control to be used for acts that adversely and unlawfully affect other states.
    Tallinn Manual

    Scott J. Shackelford, an expert on the law of cyber warfare, argues that there’s no need to prove complete state control to attribute a cyber attack. Even if the state had an ‘operational control’ on the cyber-infrastructure used to target other states, the attack can be attributed to it.

    Expand
  5. 5. How Can 'Attacked' States Retaliate?

    Once the issue of attribution is resolved, or largely agreed upon, the next step would be to assess what level of cyber counter operation would be permissible under the law of armed conflict.

    Rule 13 of the Tallinn Manual states that a state targeted by a cyber operation that “rises to a level of an armed attack” would be allowed to exercise its “inherent right of self-defence” as enshrined under Article 51 of the UN Charter and customary international law. However, the force used by a state in its self-defence cyber operation should be proportionate and necessary.

    Mike Schmitt, an authority on cyber warfare and international law, argues that a state can still respond to a cyber operation that doesn’t meet the threshold of ‘armed conflict’ if the said cyber operation is part of an overall operation culminating in an armed attack or is an “irrevocable step in an imminent (near-term) and probably unavoidable attack”.

    Expand
  6. 6. Pre-emptive Measures For A Potential War?

    Experts are divided over treating cyber warfare and conventional warfare as the same under international law. But they all recognise the potential threats that cyber warfare can pose in the future, including the prospect of what Barack Obama called the ‘cyber arms race’.

    The Weapons Review of the International Committee of the Red Cross (ICRC) has asked all states to ensure that the means of cyber warfare that they acquire or use comply with the rules of LOAC that bind all states.

    Vincent Boulanin and Maaike Verbruggen of the Stockholm International Peace Research Institute (SIPRI) have argued for subjecting ‘cyber capabilities’ or ‘cyber weapons’ of states to a process that periodically reviews their compliance with the law on armed conflict. Such a legal review should address the following critical aspects of a state's cyber capabilities:

    1. Is it, in its normal and intended circumstances of use, likely to cause superfluous injury or would it lead to unnecessary suffering?
    2. Is it by nature indiscriminate? Under International Humanitarian Law, indiscriminate attacks are prohibited.
    3. Would its use be intended to, or be expected to, breach LOAC rules? The LOAC prohibits the use of certain kinds of weapons in warfare.
    4. Is there any provision of a treaty or customary international law that directly addresses it?
    Chatham House, a British think tank, has mooted an arms treaty comparable to the Chemical Weapons Convention, to regulate the cyber warfare. Such a treaty will also provide a framework for distinguishing offensive and defensive cyber weapons, while subjecting the former to prohibition.
    Expand

Cyberspace: A New Battlefield

Almost every country is now using computer systems for their civil, security, and military infrastructure. This has made cyberspace attractive to both, state and non-state actors, to target the ‘vulnerable’ systems of rival countries to cause significant disruption at a far lower cost, in money and manpower, than conventional and mainly military options.

Countries with advanced cyber capabilities have shown keen interest in targeting cyberspace for strategic interventions in other countries.

  1. In 2020, both Iranian and the American governments acknowledged cyber-attacks as central to their strategies.
  2. In 2010, Stuxnet, which some consider India’s first genuine cyber weapon, reportedly destroyed a fifth of Iran’s nuclear centrifuges.
  3. Russia has consistently targeted the critical civil infrastructure of Ukraine, leading to a large scale disruption to the internet as pro-Russian rebels took control of Crimea (2014), taking down the election commission 3 days before Ukraine’s Presidential elections (2014), and cutting off the power supply to around 250,000 people in western Ukraine.
  4. In 2007, a major cyber-attack on Estonia’s banking and communications system led to 22 days of civil unrest.

USA has established ‘cyber commands’ as part of its Air Force and Navy. There is a consensus among NATO member-nations to invoke the principle of ‘collective self-defence’ when faced with complex cyber-attacks. South Korea and Saudi Arabia are also developing systems to “retaliate” when faced with “coordinated” and “sophisticated” cyber-attacks.

ADVERTISEMENT

Not Every Attack Is War

While experts are divided on whether the existing framework of the law on armed conflict (LOAC) should be extended to cyber-attacks or not, there is broad agreement on distinguishing different kinds of cyber aggression.

Every act of cyberspace targeting won’t amount to an ‘attack’ so as to invoke laws governing war. Centre for Strategic and International Studies, an American think-tank, argues that merely a violation of sovereignty is not enough. To invoke the right to self-defence under international law, an aggrieved nation will have to show that a cyber attack led to ‘substantial death’ or ‘physical destruction’ so as to qualify as an ‘armed attack’.

The Tallinn Manual, a leading document on legality of cyber-warfare prepared by 19 international law scholars, recognise only those cyber attacks as part of armed conflict which “are reasonably expected to cause injury or death to persons or damage or destruction to objects”.

Therefore, the threshold is understandably high. Instances of cyber espionage or data theft would ordinarily not justify action or retaliation under the law on armed conflict.

How Can Law of War Apply To Cyber Warfare?

The law on armed conflict consists of rules and state practices governing decisions to go to war and how to fight a war. Over the decades, the Geneva Convention, The Hague Convention, and the UN Charter, have been used to determine what amounts to ‘war’ and what kind of retaliation can be justified.

The existing framework for law on armed conflict doesn’t envisage cyber warfare. While some experts say that cyber warfare can be read into the existing legal framework, others argue that it is inadequate and a new legal framework is required. However, there is a consensus on the threshold of ‘substantial damage’ that every cyber-attack will have to meet to qualify as an act of war.

The Tallin Manual uses the definition provided in Article 2(4) of the UN Charter to argue that any cyber operation that “constitutes a threat or use of force against the territorial integrity or political independence of any state, or that in other manner is inconsistent with the purposes of United Nations is unlawful”. Such a cyber operation could trigger a response under the law on armed conflict.
ADVERTISEMENT

How should the states identify whether a cyber operation meets the threshold of an armed attack? Rule 11 of the Tallinn Manual provides the following tests for states to make their force assessment:

  1. Severity: scope, duration and intensity of consequences to be considered
  2. Immediacy: the sooner consequences manifest, the fewer opportunities states have to seek peaceful resolution of a dispute
  3. Directness: cyber operations where cause and effect are directly linked
  4. Invasiveness: more secure a target cyber system, the greater the concern as to its penetration
  5. Measurability of effects: the more quantifiable and identifiable the consequences, the easier it is for states to assess use of force

Who's The Enemy: The Problem of Fixing Blame

Unlike conventional warfare, it is extremely difficult to conclusively identify the source of a transnational cyber attack. For instance, the Stuxnet attack against Iran is largely attributed to the US and Israel, but there’s no conclusive evidence for it. Similarly, while Germany blames Russia for hacking the computer systems of its Bundestag (Parliament), Russia is able to deny it, as there isn't sufficient proof.

Another issue is the involvement of anonymous non-state actors. Most malware that has attacked critical civil infrastructure, including the recent Chinese malware in the Indian power system, has been attributed to private players. These non-state actors may very well be state-sponsored, but without conclusive evidence establishing a direct link, accusing another state of ‘an act of war’ would be diplomatically foolhardy.

Then there’s a problem of ‘spoofing’. Persons initiating a cyber attack can resort to ‘spoofing’, which is falsify the identity of their server. For instance, a cyber system in Russia can initiate an attack, but while doing so, can falsify the identity of its server to suggest that the attack was routed through China. This further complicates the problem of attribution in cyber warfare.

Some scholars, however, have suggested that states can act under the laws of armed conflict, even against non-state actors. They cite post 9/11 cyber operations of the US as a ‘state practice’ that has validated the use of retaliatory force against non-state actors as well.

The Tallinn Manual puts an obligation on states to not allow their cyber-infrastructure to be used for unlawful activities against other states. This obligation applies regardless of whether an attack is attributable to a state actor or not.

A state shall not knowingly allow the cyber infrastructure located in its territory or under its control to be used for acts that adversely and unlawfully affect other states.
Tallinn Manual

Scott J. Shackelford, an expert on the law of cyber warfare, argues that there’s no need to prove complete state control to attribute a cyber attack. Even if the state had an ‘operational control’ on the cyber-infrastructure used to target other states, the attack can be attributed to it.

ADVERTISEMENT

How Can 'Attacked' States Retaliate?

Once the issue of attribution is resolved, or largely agreed upon, the next step would be to assess what level of cyber counter operation would be permissible under the law of armed conflict.

Rule 13 of the Tallinn Manual states that a state targeted by a cyber operation that “rises to a level of an armed attack” would be allowed to exercise its “inherent right of self-defence” as enshrined under Article 51 of the UN Charter and customary international law. However, the force used by a state in its self-defence cyber operation should be proportionate and necessary.

Mike Schmitt, an authority on cyber warfare and international law, argues that a state can still respond to a cyber operation that doesn’t meet the threshold of ‘armed conflict’ if the said cyber operation is part of an overall operation culminating in an armed attack or is an “irrevocable step in an imminent (near-term) and probably unavoidable attack”.

Pre-emptive Measures For A Potential War?

Experts are divided over treating cyber warfare and conventional warfare as the same under international law. But they all recognise the potential threats that cyber warfare can pose in the future, including the prospect of what Barack Obama called the ‘cyber arms race’.

The Weapons Review of the International Committee of the Red Cross (ICRC) has asked all states to ensure that the means of cyber warfare that they acquire or use comply with the rules of LOAC that bind all states.

Vincent Boulanin and Maaike Verbruggen of the Stockholm International Peace Research Institute (SIPRI) have argued for subjecting ‘cyber capabilities’ or ‘cyber weapons’ of states to a process that periodically reviews their compliance with the law on armed conflict. Such a legal review should address the following critical aspects of a state's cyber capabilities:

  1. Is it, in its normal and intended circumstances of use, likely to cause superfluous injury or would it lead to unnecessary suffering?
  2. Is it by nature indiscriminate? Under International Humanitarian Law, indiscriminate attacks are prohibited.
  3. Would its use be intended to, or be expected to, breach LOAC rules? The LOAC prohibits the use of certain kinds of weapons in warfare.
  4. Is there any provision of a treaty or customary international law that directly addresses it?
Chatham House, a British think tank, has mooted an arms treaty comparable to the Chemical Weapons Convention, to regulate the cyber warfare. Such a treaty will also provide a framework for distinguishing offensive and defensive cyber weapons, while subjecting the former to prohibition.
ADVERTISEMENT

While the prospect of a ‘cyber warfare treaty’ sounds promising, it doesn’t address the whole gamut of complexities that underpin cyber operations. For instance, the distinction between ‘offensive’ and ‘defensive’ weapons will not help in the case of ‘dual-use’ technology.

Moreover, some experts have argued for regulation instead of the complete prohibition of cyber weapons.

Also, how would a 'cyber warfare treaty' cover private players?

The framework for incorporating cyber warfare into law on armed conflict remains sketchy and under-developed, despite substantial strides being made in the recent past. While there have been frequent advancements in cyber technology, customary international law has remaining more or less static. International law must now adapt to the volatility of cyberspace.

(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)

ADVERTISEMENT
Stay Updated

Subscribe To Our Daily Newsletter And Get News Delivered Straight To Your Inbox.

Join over 120,000 subscribers!
ADVERTISEMENT